PROTASIS Final Workshop
March 26th, 2020 - Amsterdam, The Netherlands

Title: No More Chasing Waterfalls: A Measurement Study of the Header Bidding Ad-Ecosystem

Abstract: In recent years, Header Bidding (HB) has gained popularity among web publishers, challenging the status quo in the ad ecosystem. Contrary to the traditional waterfall standard, HB aims to give back to publishers control of their ad inventory, increase transparency, fairness and competition among advertisers, resulting in higher ad-slot prices. Although promising, little is known about how this ad protocol works: What are HB’s possible implementations, who are the major players, and what is its network and UX overhead? To address these questions, we design and implement HBDetector: a novel methodology to detect HB auctions on a website at real-time. By crawling 35,000 top Alexa websites, we collect and analyze a dataset of 800k auctions. We find that: (i) 14.28% of top websites utilize HB. (ii) Publishers prefer to collaborate with a few Demand Partners who also dominate the waterfall market. (iii) HB latency can be significantly higher (up to 3× in median case) than waterfall.

Title: Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

Abstract: User data is the primary input of digital advertising, fueling the free Internet as we know it. As a result, web companies invest a lot in elaborate tracking mechanisms to acquire user data that can sell to data markets and advertisers. However, with same-origin policy, and cookies as a primary identification mechanism on the web, each tracker knows the same user with a different ID. To mitigate this, Cookie Synchronization (CSync) came to the rescue, facilitating an information sharing channel between third parties that may or not have direct access to the website the user visits. In the background, with CSync, they merge user data they own, but also reconstruct a user’s browsing history, bypassing the same origin policy. In this paper, we perform a first to our knowledge in-depth study of CSync in the wild, using a year-long weblog from 850 real mobile users. Through our study, we aim to understand the characteristics of the CSync protocol and the impact it has on web users’ privacy. For this, we design and implement CONRAD, a holistic mechanism to detect CSync events at real time, and the privacy loss on the user side, even when the synced IDs are obfuscated. Using CONRAD, we find that 97% of the regular web users are exposed to CSync: most of them within the first week of their browsing, and the median userID gets leaked, on average, to 3.5 different domains. Finally, we see that CSync increases the number of domains that track the user by a factor of 6.75.

Title: ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks

Abstract: The Rowhammer vulnerability common to many modern DRAM chips allows attackers to trigger bit flips in a row of memory cells by accessing the adjacent rows at high frequencies. As a result, they are able to corrupt sensitive data structures (such as page tables, cryptographic keys, object pointers, or even instructions in a program), and circumvent all existing defenses. This paper introduces ZebRAM, a novel and comprehensive software-level protection against Rowhammer. ZebRAM isolates every DRAM row that contains data with guard rows that absorb any Rowhammer-induced bit flips; the only known method to protect against all forms of Rowhammer. Rather than leaving guard rows unused, ZebRAM improves performance by using the guard rows as an efficient, integrity-checked and optionally compressed swap space. ZebRAM requires no hardware modifications and builds on virtualization extensions in commodity processors to transparently control data placement in DRAM. Our evaluation shows that ZebRAM provides strong security guarantees while utilizing all available memory.

Title: On the Privacy Implications of Paid Website Subscriptions

Abstract: In recent years, revenues from online advertising have continued to decrease, prompting Web publishers, in particular the online portals of newspapers, to look for alternative ways of monetization. One option are paid website subscriptions, such as The Guardian's digital subscription, Reddit Premium, or the Washington Post's special subscription for EU residents. Some of these subscriptions are explicitly advertised to not only offer additional content but also to not use (targeted) online advertising, while others do not make such a claim. Those that do raise the expectation that paying for the service in question would improve the customer's privacy. This research project analyzes and compares the paid and free versions of websites with regard to Web tracking and the claims made by the respective website. Does paying for a service that is advertised to be ad-free actually enhance its visitors' privacy by not exposing them to targeted advertising? Does paying for a service that does not make such claims have any privacy benefits?

Title: Bad Neighbors - How your VPN Provider May Inadvertently Put You in Danger

Abstract: Virtual Private Network (VPN) solutions are used to connect private networks securely over the Internet. Besides their usefulness in corporate environments, VPNs are also used by privacy-minded users to preserve their privacy, and to go around censorship and geolocation-based content blocking. This has created a market for turnkey VPN services offering multitude of vantage points all over the world for a monthly price. While these providers are heavily using privacy and security benefits in their marketing, such claims are generally hard to measure and substantiate. While there exist some studies on the VPN ecosystem, all prior works omit a critical part in their analyses: how well do the providers configure and secure their network infrastructure? How well are they protecting their customers from other customers? To answer these questions, an automated measurement system was developed to perform large-scale analysis on tens of VPN providers and their thousands of vantage points. Our analyses base on the premise that VPN networks commonly use internal IP addresses for their routing. If not properly secured, this will inadvertently expose internal networks of these providers, or worse, other clients connected to their services.